
Security researchers report that state-sponsored actors linked to North Korea have stolen an unprecedented amount of cryptocurrency in 2025, with analysts estimating more than $2 billion taken so far this year [1]. That figure is dominated by a single heist in February, in which hackers associated with the Lazarus Group took $1.5 billion from the cryptocurrency exchange Bybit [2]. The scale of these operations reflects a sustained and highly effective campaign by the Democratic People's Republic of Korea (DPRK) to fund state priorities through digital theft, with direct consequences for global financial security.
The Bybit Heist: A Case Study in Scale and Sophistication
The attack on Bybit, the world's second-largest crypto exchange, is one of the largest thefts in the history of cryptocurrency. On Friday, February 21, 2025, the Lazarus Group, also tracked as Labyrinth Chollima, diverted roughly 401,000 ETH while the exchange was moving funds from a cold-storage wallet to a hot wallet [2, 5]. The laundering began immediately and at scale, which points to a high degree of operational readiness: within the first weekend more than $160 million had been routed through decentralized exchanges (DEXs), cross-chain bridges and non-KYC exchanges such as eXch to break the on-chain trail [2]. Bybit's CEO Ben Zhou stated that the firm remained solvent and covered the loss through loans while working with regulators and law enforcement. The company also launched a recovery effort with a 10% bounty, which, with help from security partners, led to the recovery of roughly $43 million in the first days after the breach [2].
Historical Context and Funding of State Programs
The 2025 thefts are not an anomaly but the continuation of a well-documented trend. According to a Chainalysis report from December 2024, North Korean hackers stole a record $1.34 billion in cryptocurrency across 47 incidents in 2024, accounting for 61% of all crypto stolen that year [4]. The previous year, 2023, saw an estimated $1 billion stolen [7]. The 2025 total alone already exceeds $2 billion, surpassing the 2024 record [1]. The motive is well established: funding North Korea's nuclear and ballistic missile programs. A White House official said in 2023 that roughly half of the country's missile program had been funded by these digital heists [2, 3], making cybercrime a cornerstone of how the state finances its weapons programs.
Evolving Tactics and Strategic Shifts
Analysis from several security firms points to a strategic evolution in the tactics of DPRK-affiliated groups. One noted shift is from primarily targeting decentralized finance (DeFi) platforms toward centralized services such as major exchanges [4]. These groups have also increasingly used supply chain attacks, such as the 2023 breach of the IT management vendor JumpCloud, to gain initial access to several cryptocurrency clients at once [4, 9]; a single upstream compromise maximizes impact and reflects a mature targeting methodology. Chainalysis data also suggests a drop in DPRK hacking activity after July 2024, shortly after the June 2024 summit between Kim Jong Un and Vladimir Putin, which may hint at a reallocation of resources or a shift in state priorities [4].
“We’ve never seen anything on this scale before. The current strategy from governments and industry clearly isn’t working… People should be going back to the drawing board right now on how to deter and punish North Korea for these hacks.”
— Nick Carlsen, TRM Labs (former FBI analyst) [2, 3]
Relevance and Remediation for Security Professionals
For security teams, the operational patterns of groups like Lazarus are directly useful for building defenses. The reliance on supply chain attacks calls for rigorous third-party risk management and tight access controls around IT management software, which by design holds privileged access to many customer environments. The speed with which stolen funds were pushed through DEXs and cross-chain bridges shows why real-time transaction monitoring and established working relationships with blockchain analytics firms matter: the window in which funds can still be frozen is measured in hours, not days. Whatever the specific intrusion path at Bybit, the recurring initial-access vectors, credential phishing, software supply chain compromise and social engineering, are the ones to defend against. That means phishing-resistant multi-factor authentication, strict least-privilege enforcement (including for the people and systems that approve large transfers), and security awareness training focused on the social-engineering lures these groups use.
The continued success of North Korean cyber operations signals a failure of existing deterrence. The volume of stolen assets, which now funds a significant share of a nation's weapons program, moves these activities from ordinary cybercrime into the realm of national and international security. The call from experts such as Nick Carlsen for a fundamental re-evaluation of deterrence strategies is a clear sign that the status quo is insufficient. As these state-sponsored groups refine their methods and raise their ambitions, the global response will have to combine diplomatic, economic and technical measures to counter a persistent threat.
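The laundering pattern described for Bybit, funds split across intermediate addresses and pushed through bridges, DEXs and no-KYC exchanges within hours, is exactly what real-time transaction monitoring has to catch. The script below is an added example, not code from the original article, from Bybit or from any analytics vendor: it runs a proportional ("haircut") taint model over a constructed, entirely fictional ledger of transfers from a hypothetical seed address, tracks hop distance from the theft, and raises an alert whenever tainted funds land at a labelled service. All addresses, service labels, amounts and timestamps are invented for illustration; the haircut model is a standard simplified heuristic and not a claim about how Bybit's partners actually traced the funds.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str        # transaction id
    src: str       # sending address
    dst: str       # receiving address
    amount: float  # value moved, in ETH
    ts: int        # unix timestamp (seconds)


# Constructed sample data. Every address, label, amount and timestamp here is
# invented for illustration and does not correspond to any real on-chain entity.
THEFT_TS = 0                      # assumed time of the first outbound theft transfer
SEED = {"0xthief1"}               # hypothetical attacker-controlled address
LABELS = {                        # hypothetical service attributions
    "0xbridge_a": "cross-chain bridge",
    "0xdex_b": "DEX router",
    "0xexch_c": "no-KYC exchange",
    "0xcex_d": "regulated exchange deposit",
}
LEDGER = [
    Transfer("t1", "0xthief1", "0xhop1", 1000.0, 0),
    Transfer("t2", "0xthief1", "0xhop2", 500.0, 60),
    Transfer("t6", "0xclean", "0xhop2", 500.0, 100),   # clean funds mixed in at hop2
    Transfer("t3", "0xhop1", "0xbridge_a", 700.0, 600),
    Transfer("t4", "0xhop1", "0xhop3", 300.0, 660),
    Transfer("t5", "0xhop3", "0xdex_b", 300.0, 1200),
    Transfer("t7", "0xhop2", "0xexch_c", 800.0, 3600),
    Transfer("t8", "0xhop2", "0xcex_d", 200.0, 3700),
    Transfer("t9", "0xclean", "0xcex_d", 50.0, 4000),
]


def trace_taint(ledger, seeds, min_fraction=0.05):
    """Proportional ('haircut') taint propagation in timestamp order.

    Seeds are treated as fully tainted. Every other address carries a tainted
    balance; an outgoing transfer carries the same tainted fraction as the
    sending address holds at that moment. Returns (tainted balance per address,
    {tx: (tainted_amount, fraction, hops)} for transfers above min_fraction,
    hop distance per address).
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    hops = {s: 0 for s in seeds}
    flagged = {}
    for t in sorted(ledger, key=lambda x: x.ts):
        if t.src in seeds:
            frac = 1.0
        elif balance[t.src] > 0:
            frac = tainted[t.src] / balance[t.src]
        else:
            frac = 0.0          # no tracked inflow: treat the sender as clean
        moved = t.amount * frac
        if t.src not in seeds:
            balance[t.src] = max(0.0, balance[t.src] - t.amount)
            tainted[t.src] = max(0.0, tainted[t.src] - moved)
        balance[t.dst] += t.amount
        tainted[t.dst] += moved
        if frac >= min_fraction:   # ignore dust-level taint to keep alerts useful
            hops[t.dst] = min(hops.get(t.dst, 10 ** 9), hops.get(t.src, 0) + 1)
            flagged[t.tx] = (moved, frac, hops[t.dst])
    return dict(tainted), flagged, hops


def laundering_alerts(ledger, seeds, labels, theft_ts, min_fraction=0.05):
    """Alert whenever tainted funds reach a labelled off-ramp or mixing service."""
    _, flagged, _ = trace_taint(ledger, seeds, min_fraction)
    alerts = []
    for t in sorted(ledger, key=lambda x: x.ts):
        if t.tx in flagged and t.dst in labels:
            moved, frac, hop = flagged[t.tx]
            alerts.append({
                "tx": t.tx,
                "service": labels[t.dst],
                "tainted_eth": round(moved, 2),
                "fraction": round(frac, 2),
                "hops": hop,
                "minutes_after_theft": (t.ts - theft_ts) // 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in laundering_alerts(LEDGER, SEED, LABELS, THEFT_TS):
        print(alert)
```

On the constructed ledger the model flags four deposits: 700 ETH at the bridge ten minutes after the theft, 300 ETH at the DEX router twenty minutes in, and two hour-later deposits from the hop that mixed in clean funds, where only half of each transfer is attributed to the theft. The tainted amounts reaching services sum to the 1,500 ETH that left the seed address, which is a useful sanity check on any propagation model. Haircut is only one of several attribution rules (FIFO and "poison" are common alternatives) and real analytics platforms combine it with address clustering and service attribution; the point here is that a deposit at a labelled service by a low-hop, high-fraction address within the first hours is the event a monitoring pipeline must surface immediately, because that is the only window in which the receiving service can still freeze funds.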
References
- [1] “North Korean hackers stealing record sums, researchers say,” BBC, 2025.
- [2] “North Korean hackers linked to a record-breaking cryptocurrency heist,” CNN, 2025.
- [3] “North Korean hackers linked to a record-breaking cryptocurrency heist,” KCRA, 2025.
- [4] “Chainalysis Report,” Chainalysis, Dec. 2024.
- [5] “North Korean hackers linked to a record-breaking cryptocurrency heist,” The Record, 2025.
- [6] Source not provided.
- [7] “North Korean hackers stole an estimated $1 billion in crypto in 2023,” CNBC, 2025.
- [8] Source not provided.
- [9] “Evolving Tactics of North Korean Hackers,” Reuters, 2025.